Permission compute.regions.get error in terraform google kubernetes engine

3/19/2020

I'm trying to use the terraform-google-modules/kubernetes-engine/google//modules/beta-private-cluster module, version "~> 7.3", to create a cluster in region europe-west2. But I keep getting this error:

Error: googleapi: Error 403: Google Compute Engine: Required 'compute.regions.get' 
permission for 'projects/***/regions/europe-west2'., forbidden

The weird thing is that I'm trying to do that using a user with the Editor role. So, it should have permission to read the region. I tried to add more roles for the user (made it all kinds of admin), but the result is still the same. Could you please advise where my mistake could be?

-- Denis
google-cloud-platform
google-kubernetes-engine
kubernetes
terraform

2 Answers

3/22/2020

I managed to solve that problem. It turned out that my provisioner dropped some roles which are required for GKE to work properly. In particular:

  • serviceAccount:service-${project-number}@compute-system.iam.gserviceaccount.com must be roles/compute.serviceAgent.

  • serviceAccount:service-${project-number}@container-engine-robot.iam.gserviceaccount.com must be roles/compute.serviceAgent.

To find that, I disabled the Kubernetes Engine service and enabled it back, and Google Cloud automatically restored the required roles for those service accounts.

-- Denis
Source: StackOverflow

3/20/2020

Please check if your [id]@cloudservices.gserviceaccount.com service account has the editor role.

List all service accounts with the gcloud projects get-iam-policy [project-id] command and look for the account. It should look similar to this:

- members:
  - serviceAccount:67993345594-compute@developer.gserviceaccount.com
  - serviceAccount:679934532594@cloudservices.gserviceaccount.com
  - serviceAccount:service-674567382594@containerregistry.iam.gserviceaccount.com
  - serviceAccount:test2-468@asdf.iam.gserviceaccount.com
  - serviceAccount:asdf@appspot.gserviceaccount.com
  role: roles/editor

Second from the top is the account you're looking for, and the bottom line says "roles/editor", which is the correct situation.

If this account doesn't have this role you can grant it using command:

gcloud projects add-iam-policy-binding [project] \
--member serviceAccount:[id]@cloudservices.gserviceaccount.com --role roles/editor

It's all described in the documentation.

Very similar issues were discussed on StackOverflow here and here.

-- W_B
Source: StackOverflow
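Both answers come down to the same check: the Google-managed service agents for Compute Engine, GKE and the Google APIs service account must still hold the roles that Google grants them when the APIs are enabled, and a provisioner that "cleans up" IAM bindings can silently remove them. The script below is an added example (not code from either answer or from the Terraform module) that audits the JSON output of gcloud projects get-iam-policy for exactly those bindings and prints the remediation commands. The expected-role table is my assumption about the default bindings (the accepted answer lists roles/compute.serviceAgent for both agents; roles/container.serviceAgent is the role Google's own enablement flow grants the GKE agent), so adjust it to what your project actually had before the provisioner ran. The sample policy embedded at the bottom is constructed to reproduce the thread's situation: the GKE agent's binding is gone.

```python
"""Audit a GCP project's IAM policy for the Google-managed service-agent
bindings that GKE provisioning depends on.

Usage (real project):
  gcloud projects get-iam-policy PROJECT_ID --format=json \
      | python gke_agent_audit.py PROJECT_ID PROJECT_NUMBER
"""
import json
import sys
from typing import Dict, List, Set, Tuple

# Expected role per service agent; "{n}" is the numeric project number.
# Assumption: these are the default bindings created when the Compute Engine
# and Kubernetes Engine APIs are enabled. Adjust to your organisation's policy.
EXPECTED_AGENT_ROLES: Dict[str, str] = {
    "service-{n}@compute-system.iam.gserviceaccount.com": "roles/compute.serviceAgent",
    "service-{n}@container-engine-robot.iam.gserviceaccount.com": "roles/container.serviceAgent",
    "{n}@cloudservices.gserviceaccount.com": "roles/editor",
}


def roles_by_member(policy: dict) -> Dict[str, Set[str]]:
    """Flatten the policy's bindings list into {member: {role, ...}}."""
    held: Dict[str, Set[str]] = {}
    for binding in policy.get("bindings", []):
        # A conditional binding may not apply; treat it as not granting the role.
        if binding.get("condition"):
            continue
        for member in binding.get("members", []):
            held.setdefault(member, set()).add(binding["role"])
    return held


def audit_service_agents(policy: dict, project_number: str) -> List[Tuple[str, str]]:
    """Return (member, expected_role) pairs whose binding is missing."""
    held = roles_by_member(policy)
    missing = []
    for pattern, role in EXPECTED_AGENT_ROLES.items():
        member = "serviceAccount:" + pattern.format(n=project_number)
        if role not in held.get(member, set()):
            missing.append((member, role))
    return missing


def remediation_commands(project_id: str, missing: List[Tuple[str, str]]) -> List[str]:
    """Build the add-iam-policy-binding commands that restore each missing binding."""
    return [
        f"gcloud projects add-iam-policy-binding {project_id} "
        f"--member {member} --role {role}"
        for member, role in missing
    ]


# Constructed sample policy: compute and cloudservices agents intact, GKE agent
# binding removed, which is the state the accepted answer describes.
SAMPLE_PROJECT_ID = "example-project"
SAMPLE_PROJECT_NUMBER = "123456789012"
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/compute.serviceAgent",
     "members": ["serviceAccount:service-123456789012@compute-system.iam.gserviceaccount.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:123456789012@cloudservices.gserviceaccount.com",
                 "user:denis@example.com"]}
  ],
  "etag": "BwWq0000000=",
  "version": 1
}
""")


def sample_audit() -> List[Tuple[str, str]]:
    """Run the audit against the constructed sample policy."""
    return audit_service_agents(SAMPLE_POLICY, SAMPLE_PROJECT_NUMBER)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        policy, project_id, number = json.load(sys.stdin), sys.argv[1], sys.argv[2]
    else:  # no arguments: demonstrate on the constructed sample
        policy, project_id, number = SAMPLE_POLICY, SAMPLE_PROJECT_ID, SAMPLE_PROJECT_NUMBER
    gaps = audit_service_agents(policy, number)
    if not gaps:
        print("all expected service-agent bindings present")
    for cmd in remediation_commands(project_id, gaps):
        print(cmd)
```

Run without arguments it reports the GKE agent's missing roles/container.serviceAgent binding and prints the gcloud command that would restore it; re-enabling the API, as the accepted answer did, achieves the same end. Conditional bindings are deliberately ignored because a service agent needs its role unconditionally.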